Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail- 1481

Oskar Zeino-Mahmalat - SonarSource (posted 1 year ago)
  • Roundcube is open source webmail software that lets users read their email in the browser. Many government agencies use it, which makes it an attractive target. Naturally, the biggest threat is an XSS that fires when the victim simply opens an email.
  • Roundcube ships its own HTML sanitizer, washtml, in which the author found no vulnerabilities. The problem is what happens after sanitization: the rendered email is not placed in an iframe but is inlined into the page as raw HTML, so Roundcube has to strip the body, head and similar tags from the sanitized output. That post-processing step is where the first bug lives.
  • This tag and attribute rewriting is done with simple regexes. The bgcolor handling performs attribute parsing and substitution with the regex /\s?bgcolor=["\']*[a-z0-9#]+["\']*/i, which tries to accept every quoting style. It does not consider the case where the text bgcolor=XXX appears inside the value of another attribute.
  • The author's example is a body tag of the form <body title="bgcolor=foo" name="bar onload=alert(origin)">. The regex matches bgcolor=foo together with the closing double quote and removes both, so the tag becomes <body title=" name="bar onload=alert(origin)">: the title value now swallows name=", and the browser sees bar and onload=alert(origin) as attributes of their own. The regex looks as if it should only match when the same delimiter (" or ') opens and closes the value, but ["\']* happily matches zero quotes on one side and one on the other. Man, regexes are terrible!
  • Clicking the Open button for an attachment simply adds the _download=1 query parameter, and the Content-Disposition header decides whether the response is served as an attachment or inline. The filename, MIME type and charset are all sent along with the data, and the MIME type is not checked: it comes straight from the attachment's declared type. HTML and SVG attachments are sanitized, but nothing else is, and the author found that XML files slip past this check while still rendering (XHTML) markup in the browser.
  • This last bug was a known issue that had theoretically been fixed by disabling the Open button for XML files. An attacker who could get the victim to a direct link to the file would still have XSS, but the link contains a random ID from IMAP that cannot be guessed. Since Roundcube lacks good protections such as a CSP and sandboxing, the author looked for a way to leak that link.
  • The main defense against CSS-based leaks is a regex-based blocklist run over the CSS text, which tries to ban url() and @import so that no remote connections can be made. The word import is blocked except when followed by an a, so that the !important keyword still works. Notably, the check runs on a normalized, stripped-down copy of the CSS rather than on the stylesheet that is actually emitted.
  • The exception for important, combined with the normalization before verification, allows import aevil.com to pass! With that, previously known CSS exfiltration techniques can leak the UUID from the page. The same vulnerability lets the email's styles overlay every element with a link that redirects to the XML XSS page. If you don't fix the root cause of the problem, then you're going to get hit!
  • A service worker is a script that the browser stores and runs in the background, sitting in front of every HTTP request the page makes. Controlling a service worker means a persistent backdoor, unlike ordinary stored XSS. The specification mitigates this by requiring the service worker script to be hosted on the same origin and served with a JavaScript content-type. In Roundcube's case, the attachment bug above lets attackers serve arbitrary JS files with the JavaScript content-type from Roundcube's own origin, so with either of the two XSS bugs an attacker could register a malicious service worker as a permanent backdoor. Nasty!
  • Bug 1 was fixed by properly escaping attributes and dropping the bad regex. Bug 2 was fixed by rewriting dangerous MIME types to text/plain. Bug 3 was fixed by checking for @import on the CSS as emitted, without stripping it first. The author notes that sandboxing or a good CSP would have limited all of this. Overall, an awesome post on a series of weird and novel bugs. I like the destruction of the regex parsers here - definitely something to keep an eye out for.
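To make the first bug concrete, here is an added example (my own code, not Roundcube's or Sonar's) that runs the bgcolor regex quoted above over the post's example body tag and then shows the attribute-aware alternative that the fix moved towards: parse the tag, drop the attribute by name, and re-emit every value quoted and escaped. The toy start-tag tokenizer, the helper names and the constructed PAYLOAD are my assumptions; the tokenizer approximates how a browser splits attributes and is not a full HTML5 parser.

```javascript
// Added example, not Roundcube's code: the bgcolor-stripping regex quoted in
// the post, run on the post's example <body> tag, beside an attribute-aware
// rewrite that parses the tag before dropping the attribute.
const BGCOLOR_RE = /\s?bgcolor=["']*[a-z0-9#]+["']*/i;

// Vulnerable: textual substitution that ignores attribute boundaries.
function stripBgcolorWithRegex(tag) {
  return tag.replace(BGCOLOR_RE, "");
}

// Minimal start-tag tokenizer (assumption: an approximation of the HTML
// tokenizer that is enough for a single tag; it is not a full HTML5 parser).
function parseStartTag(tag) {
  const m = /^<([a-zA-Z][a-zA-Z0-9]*)([\s\S]*?)\/?>$/.exec(tag);
  if (!m) throw new Error("not a start tag: " + tag);
  const attrs = [];
  // name, then optionally = "dq value" | 'sq value' | unquoted value
  const attrRe = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let a;
  while ((a = attrRe.exec(m[2])) !== null) {
    let value = null;
    if (a[2] !== undefined) value = a[2];
    else if (a[3] !== undefined) value = a[3];
    else if (a[4] !== undefined) value = a[4];
    attrs.push({ name: a[1].toLowerCase(), value });
  }
  return { name: m[1].toLowerCase(), attrs };
}

// Escape an attribute value so it can never close its own quotes.
function escapeAttr(v) {
  return v
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function serializeStartTag(name, attrs) {
  const parts = attrs.map((a) =>
    a.value === null ? a.name : `${a.name}="${escapeAttr(a.value)}"`
  );
  return `<${name}${parts.length ? " " + parts.join(" ") : ""}>`;
}

// Hardened: drop the attribute by name on the parsed tag, then re-emit with
// every value quoted and escaped, so a value can never become an attribute.
function stripBgcolorByParsing(tag) {
  const { name, attrs } = parseStartTag(tag);
  return serializeStartTag(name, attrs.filter((a) => a.name !== "bgcolor"));
}

// What the tokenizer (and, roughly, a browser) sees in a rewritten tag.
function attributeNames(tag) {
  return parseStartTag(tag).attrs.map((a) => a.name);
}

// Constructed sample: the payload from the post.
const PAYLOAD = '<body title="bgcolor=foo" name="bar onload=alert(origin)">';

if (typeof require !== "undefined" && require.main === module) {
  console.log("regex  :", stripBgcolorWithRegex(PAYLOAD), attributeNames(stripBgcolorWithRegex(PAYLOAD)));
  console.log("parsed :", stripBgcolorByParsing(PAYLOAD), attributeNames(stripBgcolorByParsing(PAYLOAD)));
}
```

The regex path leaves the tag with an onload attribute the sanitizer never saw, while the parsing path keeps the payload harmlessly inside the title and name values. The same rule generalizes: once markup has been sanitized as a tree, any later rewrite should happen on that tree, not on its serialized text.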